Skills
skills/everyinc/compound-engineering-plugin/generate_command/Gen Agent Trust Hub

generate_command

Pass

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSNO_CODE
Full Analysis
  • [PROMPT_INJECTION]: The skill uses the #$ARGUMENTS placeholder to insert user-provided requirements directly into the generated skill's goal section, representing a surface for indirect prompt injection.
  • Ingestion points: User input provided via command arguments is interpolated into the generated SKILL.md file.
  • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are provided around the interpolated user content.
  • Capability inventory: The template encourages the use of powerful tools including Bash (command execution), File Operations (reading/writing files), WebFetch (network access), and Playwright (browser automation).
  • Sanitization: The skill does not implement validation or sanitization of the input arguments before interpolation.
  • [COMMAND_EXECUTION]: The instructions describe using the Bash tool to perform development tasks such as running tests, linters, and git commands.
  • [EXTERNAL_DOWNLOADS]: The documentation suggests using WebFetch and WebSearch tools to retrieve external documentation and data.
  • [NO_CODE]: The skill consists entirely of markdown instructions and does not include any accompanying executable scripts or binary files.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 12, 2026, 03:33 PM